path: root/kernel/signal.c
author: Kees Cook, 2017-07-11 00:52:54 +0200
committer: Linus Torvalds, 2017-07-11 01:32:36 +0200
commit: 67c6777a5d331dda32a4c4a1bf0cac85bdaaaed8 (patch)
tree: c5ae9869b8e0a3e81091bb08597ea54346655824 /kernel/signal.c
parent: s390: reduce ELF_ET_DYN_BASE
binfmt_elf: safely increment argv pointers

When building the argv/envp pointers, the envp is needlessly pre-incremented instead of just continuing after the argv pointers are finished. In some (likely impossible) race where the strings could be changed from userspace between copy_strings() and here, it might be possible to confuse the envp position. Instead, just use sp like everything else.

Link: http://lkml.kernel.org/r/20170622173838.GA43308@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: Daniel Micay <danielmicay@gmail.com>
Cc: Qualys Security Advisory <qsa@qualys.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Dmitry Safonov <dsafonov@virtuozzo.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Diffstat (limited to 'kernel/signal.c')
0 files changed, 0 insertions, 0 deletions